The user the CGI program executes as must have a uid of 100 or greater. This prevents anyone from using Cgistub to obtain root access.

The CGI program must be owned by the user it is executed
as and must not be writable by anyone other than its owner. This makes
it difficult for anyone to covertly inject and then remotely execute
programs.

Cgistub creates its UNIX listen
socket with 0700 permissions.

Note –

Socket permissions are not respected on a number of UNIX
variants, including current versions of Sun operating systems/Solaris.
To prevent a malicious user from exploiting Cgistub,
ensure that the server's temporary directory is set (using the server.xml temp-path element) to a directory accessible
only to the server user.
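The conditions above can be audited from the shell. The script below is an added example, not part of the original documentation or of the server's own tooling; the function names are hypothetical, the run-as uid and paths are supplied by the caller, and only the classic permission bits (not ACLs) are examined.

```sh
#!/bin/sh
# Added example: audit a CGI program and the server temp directory against
# the Cgistub conditions above. Function names are hypothetical.

# Print "<10-char mode string> <numeric uid>" for a path, from `ls -ldn`.
mode_and_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# cgi_policy_ok MODE OWNER_UID RUN_UID
# Pure check: RUN_UID >= 100, file owned by RUN_UID, no group/other write bit.
cgi_policy_ok() {
    [ "$3" -ge 100 ] || { echo "uid $3 is below 100" >&2; return 1; }
    [ "$2" -eq "$3" ] || { echo "owner $2 is not run-as uid $3" >&2; return 1; }
    case "$1" in
        ?????w????|????????w?) echo "writable by non-owner: $1" >&2; return 1 ;;
    esac
    return 0
}

# check_cgi PATH RUN_UID: apply cgi_policy_ok to a file on disk.
check_cgi() {
    info=$(mode_and_uid "$1")
    [ -n "$info" ] || { echo "cannot stat $1" >&2; return 1; }
    cgi_policy_ok "${info% *}" "${info#* }" "$2"
}

# check_tmpdir PATH SERVER_UID: a real directory owned by the server user with
# no group/other access, since the 0700 socket mode may not be enforced.
check_tmpdir() {
    info=$(mode_and_uid "$1")
    [ -n "$info" ] || { echo "cannot stat $1" >&2; return 1; }
    [ "${info#* }" -eq "$2" ] || { echo "$1 not owned by uid $2" >&2; return 1; }
    case "${info% *}" in
        d???------) return 0 ;;
        *) echo "$1 is reachable by other users: ${info% *}" >&2; return 1 ;;
    esac
}

# Constructed sample inputs (mode, owner uid, run-as uid); not from the page.
for sample in "-rwxr-xr-x 1001 1001" "-rwxrwxr-x 1001 1001" "-rwxr-xr-x 0 0"; do
    set -- $sample
    if cgi_policy_ok "$@" 2>/dev/null; then echo "PASS $sample"; else echo "FAIL $sample"; fi
done
```
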

To Install the suid and Cgistub Directories

You cannot install the suid Cgistub program
on an NFS mount. If you want to use an suid Cgistub, you must install your server instance to a local file
system.

Log in as a superuser.

Create the private directory for Cgistub in the install-dir/https-instance/private directory:

Specifying a Chroot Directory for a Virtual Server

To further improve security, the CGI scripts must be prevented
from accessing data above and outside of the document-root directory.

Before You Begin

Set up the chroot environment. The exact
steps required to set up the chroot environment
vary by operating system. For instructions, refer to your operating system’s
documentation, and see the man pages for the ftpd and chroot commands.

Steps required for Solaris versions 2.8 through 10 are described
in the following procedure:

Log in as a superuser.

Change to the chroot directory.

chroot is typically the document-root directory of the virtual server.

cd chroot

Create tmp in the chroot directory
and set appropriate permissions.

mkdir tmp

chmod 1777 tmp

Create dev in the chroot directory
and set appropriate permissions.

mkdir dev

chmod 755 dev

List /dev/tcp, and note the major and
minor numbers of the resulting output.